Using unsafe Jackson deserialization configuration is security-sensitive. It has led in the past to the following vulnerabilities:
When Jackson is configured to allow Polymorphic Type Handling (aka PTH), formerly known as Polymorphic Deserialization, "deserialization gadgets" may allow an attacker to perform remote code execution.
This rule raises an issue when:
- enableDefaultTyping() is called on an instance of com.fasterxml.jackson.databind.ObjectMapper or org.codehaus.jackson.map.ObjectMapper.
- @JsonTypeInfo is set at class or field level and configured with use = JsonTypeInfo.Id.CLASS or use = JsonTypeInfo.Id.MINIMAL_CLASS.

There is a risk if you answered yes to any of those questions.
To reduce this risk:
- Use a version of jackson-databind that blocks the already discovered "deserialization gadgets".
- Avoid the default typing configuration, ObjectMapper.enableDefaultTyping().
- If possible, use @JsonTypeInfo(use = Id.NAME) instead of @JsonTypeInfo(use = Id.CLASS) or @JsonTypeInfo(use = Id.MINIMAL_CLASS), and so rely on @JsonTypeName and @JsonSubTypes to restrict which types can be instantiated from input.
Sensitive code example:

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.annotation.JsonTypeInfo.Id;
import com.fasterxml.jackson.databind.ObjectMapper;

ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping(); // Sensitive: any class named in the input may be instantiated

@JsonTypeInfo(use = Id.CLASS) // Sensitive: the type id is a fully qualified class name taken from the input
abstract class PhoneNumber { }
```